netifera guide

Setup

Download the Netifera zip file from the web site and uncompress it in some directory. It should create a netifera/ directory. In both Linux and Mac OS X you will need to run backdoor_install.sh as root:

cd netifera
sudo ./backdoor_install.sh

This will create a suid root file named 'backdoor', which is necessary for sniffing. If you don't do this, Netifera won't be able to sniff. Note that if your file system is mounted nosuid (for example, /tmp and /home in some distributions) it won't work.
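A quick way to confirm the install step took effect is to check the helper's owner, mode and mount flags. The program below is an added example, not part of Netifera; the default path ./backdoor and the flag names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

/* Reasons a file cannot act as a setuid-root helper (flag names constructed here). */
enum { H_MISSING = 1, H_NOT_ROOT_OWNED = 2, H_NO_SUID_BIT = 4,
       H_NOSUID_MOUNT = 8, H_WRITABLE_BY_OTHERS = 16 };

int check_suid_helper(const char *path)
{
    struct stat st;
    struct statvfs vfs;
    int problems = 0;

    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return H_MISSING;
    if (st.st_uid != 0)
        problems |= H_NOT_ROOT_OWNED;      /* the suid bit grants the owner's uid */
    if (!(st.st_mode & S_ISUID))
        problems |= H_NO_SUID_BIT;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        problems |= H_WRITABLE_BY_OTHERS;  /* mode 4755 leaves write access to the owner */
    if (statvfs(path, &vfs) == 0 && (vfs.f_flag & ST_NOSUID))
        problems |= H_NOSUID_MOUNT;        /* the suid bit is ignored on this mount */
    return problems;
}

int main(int argc, char **argv)
{
    /* Assumed default: run from inside the netifera/ directory. */
    const char *path = argc > 1 ? argv[1] : "./backdoor";
    int p = check_suid_helper(path);

    if (p & H_MISSING)            printf("%s: not a regular file\n", path);
    if (p & H_NOT_ROOT_OWNED)     printf("%s: not owned by root\n", path);
    if (p & H_NO_SUID_BIT)        printf("%s: suid bit not set\n", path);
    if (p & H_WRITABLE_BY_OTHERS) printf("%s: writable by group or others\n", path);
    if (p & H_NOSUID_MOUNT)       printf("%s: file system is mounted nosuid\n", path);
    if (p == 0)                   printf("%s: usable as a suid root helper\n", path);
    return p != 0;
}
```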

A detailed description of how the backdoor works and why it is necessary is available in our blog.

Now you can start the application by running the netifera executable file:

./netifera

Notes

If you have created workspaces with old or beta versions of netifera, remove the .netifera folder from your home directory.

On 64-bit Linux systems, install the ia32-libs package. If you run netifera and the 32-bit libraries
are not installed, the following error is displayed:

bash: ./netifera: No such file or directory

User Interface Concepts

Entity

An entity is an object of a particular type of information that has
been collected. Entities appear in the user interface with an icon and
a text label that describes the entity.

Workspace

The Workspace is an instance of the database where entities are stored.
A workspace can be very large and contain thousands of entities. One of
the primary goals of Netifera is to be able to handle large amounts of
network information.

New workspaces can be created with the 'New Workspace' toolbar button
and previously created workspaces can be opened with the 'Open
Workspace' button.

Spaces

To manage the complexity and allow the user to organize the information
they are collecting, the information in a workspace is divided into spaces.
A Space contains a subset of the information in the entire Workspace.
Spaces help to avoid information cluttering, allowing the user to
divide his work into smaller pieces. A space in the user interface is
conceptually similar to a tab in a tabbed web browser. A new empty
space can be opened with Control-T (Command-T on OS X) or the 'New
Space' toolbar button.

Input Bar

The input bar is used to manually add new entities to a space. Simply
enter a description of the entity into the input bar and press enter or
the add button. The new entity will appear in the current foreground
space.

The input bar understands input in the following formats:

Hosts by IP address: 192.168.0.1

Netblocks in CIDR notation: 192.168.0.0/24

HTTP URLs: http://yahoo.com/

Email addresses: john@yahoo.com

Host names: www.yahoo.com

Domains: .yahoo.com

Perspectives

A perspective is a configuration of the UI for a particular task.
Selecting a new perspective will change both the layout of the UI
windows and the set of menu and toolbar actions that are available.

You can switch to another perspective via the menu Window ->
Open Perspective -> Other, or with the set of buttons on the right side
of the main toolbar.

Action Hover

To run an action against an entity, move the mouse pointer over the name of
any entity in the current space and in a moment a special hover
dialog will appear with some information about the selected entity as well
as a list of actions that are available to launch. Different entities will
have different actions that can be launched against them. For example,
the action hover for a host will include actions to port scan the host
and the action hover for a domain will include actions to discover the
name and mail servers for the domain. Pressing the space bar will also
show the actions for the selected entity.

Tasks View

The Tasks View contains information about the actions that have been
launched in the current Space. When an action is launched on an entity
a new task will appear in this view. The progress of the task will be
displayed as well as information which has been produced by the task.

Tags

Entities can be tagged with arbitrary tags. This, together with other
information, is shown in the entity hover. For each tag in a Space,
Netifera creates a virtual folder that contains all entities in the
Space that have this tag. Entities can have more than one tag, so they
can be contained in more than one folder.

Entering entities and running tools

When you start netifera for the first time, a new Workspace will be
created with a new empty Space. Now, in order to be able to run tools,
you need to add entities to the Space.

Once you have entered new entities through the Input Bar, they will
appear in the currently active Space. Then, you can select an entity in
the Space and after a moment a Hover will appear showing the Actions
available for that entity.

Try entering some netblock, for example 172.16.42.0/24. Then select the
entity to get the hover, and start running actions on it.

Sniffing Service

After switching to the sniffing perspective, the toolbar will change
and display actions for using the sniffing service. The sniffing
service can be used to either capture live traffic from one or more
network interfaces, or it can be used to parse a pcap format capture
file.

Configuring the Sniffing Service

The "Configure Sniffing Service" toolbar button will open a dialog
which can be used to configure the sniffing service before launching
it. In this dialog you can select the interfaces you would like to
sniff on during a live capture as well as enable and disable individual
sniffing modules. The set of enabled modules that you select will be
applied to either a live capture or a pcap capture file that you choose
to open.

Backdoor

What is backdoor?

On Linux and OS X, root privileges are required to capture packets from
the network. To avoid the inconvenience of running netifera as root, we
have created a small native binary called backdoor which opens network
interfaces for packet capture. If this binary is installed with suid root
file ownership and permissions (i.e. chown root backdoor; chmod 4755
backdoor), netifera will use it to open network devices for sniffing.

How does it work?

When netifera needs to open a privileged descriptor it creates a pair
of unix domain sockets with socketpair() and executes the backdoor
binary with one side of the socket pair bound to a known file
descriptor value (0). The backdoor binary creates the requested
descriptor, and passes it back to netifera using a unix feature for
passing file descriptors between processes over a socket. The backdoor
binary accepts a command line argument of a single integer.

On Linux this value can be either 0 or 1 and is interpreted as follows: